A SYN (half-open) port scan is often the most effective type of port scan to
launch directly against a target IP network space. Because the scanner never
completes the three-way handshake, SYN scanning is extremely fast and allows
you to scan large networks quickly.

Inverse TCP port scanning

Inverse scanning types (particularly FIN, Xmas, and NULL) take advantage of
idiosyncrasies in certain TCP/IP stack implementations: an RFC 793-compliant
stack answers such probes with a RST for closed ports but silently drops them
for open ports, so silence is read as open. This scanning type isn't
effective when scanning large network spaces, because non-compliant stacks
(Windows in particular) send a RST for every port, and a filtered host also
returns nothing, so a silent port is really only open or filtered. It is
useful when testing and investigating the security of specific hosts and
small network segments.

Third-party TCP port scanning

Third-party TCP port scans can be launched by combining TCP spoofing with a
vulnerable network component, such as an idle host whose IP ID counter
increments predictably and can be used as a zombie. Scanning in this fashion
has two benefits: it hides the true source of the scan, and it reveals the
filtering and trust relationships between the third-party host and the
target. Although time consuming to undertake, third-party scanning is
extremely useful when applied correctly.
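The IP ID ("idle") scan is the classic instance of the third-party technique
described above. The following simulation is an added example, not code from
the book or from any scanner: the zombie, the target and the attacker are
hypothetical Python objects, and the zombie is modelled with a global IP ID
counter that increments by one for every packet it sends, which is the
property the technique depends on. It shows both sides of the exchange and
the inference (IP ID delta of 1 versus 2), including the failure mode of a
zombie that is not actually idle.

```python
# Simulated IP ID ("idle") scan: no packet ever reaches the target from the
# attacker's own address. All hosts here are hypothetical simulation objects.

class Zombie:
    """Idle host whose IP ID is a global counter: every packet it sends
    carries the previous IP ID + 1. It answers an unsolicited SYN/ACK with a
    RST and silently drops an unsolicited RST."""

    def __init__(self, start_id=0x1000, noise_per_step=0):
        self.ip_id = start_id
        # Packets the zombie sends on its own between our probes. 0 models a
        # truly idle host; anything else models a busy, unusable zombie.
        self.noise_per_step = noise_per_step

    def send(self):
        self.ip_id += 1
        return self.ip_id

    def receive(self, flags):
        if flags == "SYN/ACK":
            return ("RST", self.send())  # (flags, IP ID of the packet sent)
        return None                       # a RST is dropped without reply

    def own_traffic(self):
        for _ in range(self.noise_per_step):
            self.send()


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port):
        """Reply the target sends back to the SYN's (spoofed) source address."""
        if port in self.filtered_ports:
            return None  # dropped by a filter: nothing goes to the zombie
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_zombie_ipid(zombie):
    """Attacker -> zombie: SYN/ACK. Zombie -> attacker: RST with its IP ID."""
    _flags, ip_id = zombie.receive("SYN/ACK")
    return ip_id


def idle_scan_port(zombie, target, port):
    before = probe_zombie_ipid(zombie)
    zombie.own_traffic()
    # Attacker -> target: SYN whose source address is the zombie's.
    reply = target.receive_syn(port)
    # The target's reply, if any, goes to the zombie, never to the attacker.
    if reply is not None:
        zombie.receive(reply)
    zombie.own_traffic()
    after = probe_zombie_ipid(zombie)
    delta = after - before
    if delta == 1:
        return "closed|filtered"  # only our second probe made the zombie send
    if delta == 2:
        return "open"             # the zombie also RST'd the target's SYN/ACK
    return "unreliable"           # zombie sent other traffic; pick another


def idle_scan(zombie, target, ports):
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    print(idle_scan(Zombie(), Target(open_ports={22, 80}, filtered_ports={25}),
                    [22, 25, 80, 443]))
```

Because the target only ever sees the zombie's address, the result is the
target's view of the zombie: a port that is filtered for you but reachable
from a trusted zombie shows as open here, which is the trust-assessment use
the section mentions. A real scan repeats each probe several times and
discards the zombie if the delta is ever anything other than 1 or 2.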

UDP port scanning

Identifying accessible UDP services is straightforward only if ICMP type 3
code 3 (destination port unreachable) messages are allowed back through the
filtering mechanisms that protect the target systems: a closed port elicits
that message, whereas an open port usually stays silent, so if the ICMP
response is filtered a silent port could be either open or filtered. UDP
services can sometimes be used to gather useful data or to directly
compromise hosts (DNS, SNMP, TFTP, and BOOTP in particular).
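A minimal UDP port scanner that makes the ICMP dependency concrete, added
here as an example and not taken from the book or from any scanning tool. It
uses a connected UDP socket so that the kernel reports an ICMP destination
unreachable for the probe as an error on the socket (on Linux, port
unreachable becomes ECONNREFUSED and the administratively prohibited and
host/net unreachable codes become EHOSTUNREACH or ENETUNREACH); a reply
means open, and a timeout is the ambiguous open|filtered case. The host and
port list in the usage line are placeholders.

```python
import errno
import socket

# Linux maps the "hard" ICMP unreachable codes that are not port unreachable
# (admin prohibited, host/net unreachable, protocol unreachable) to these
# errnos on a connected UDP socket; they mean a filter or router, not the
# service, answered, so the port is filtered.
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ENOPROTOOPT}


def classify(outcome):
    """Turn a single probe outcome into a port state.

    outcome is one of ("data", bytes), ("errno", int) or ("timeout", None).
    """
    kind, value = outcome
    if kind == "data":
        return "open"
    if kind == "errno":
        if value == errno.ECONNREFUSED:   # ICMP type 3 code 3 came back
            return "closed"
        if value in FILTERED_ERRNOS:
            return "filtered"
        raise OSError(value, "unexpected error while probing")
    # No reply at all: an open service that ignores our payload looks exactly
    # like a filter that dropped the probe (or the ICMP reply to it).
    return "open|filtered"


def probe_udp(host, port, payload=b"\x00", timeout=1.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket makes the kernel deliver ICMP errors for
        # this destination to us instead of discarding them.
        s.connect((host, port))
        try:
            s.send(payload)
            return ("data", s.recv(4096))
        except socket.timeout:
            return ("timeout", None)
        except OSError as e:
            return ("errno", e.errno)


def scan_udp(host, ports, timeout=1.0):
    """Probe each port once and return {port: state}."""
    return {p: classify(probe_udp(host, p, timeout=timeout)) for p in ports}


if __name__ == "__main__":
    # Placeholder host and ports; run against something you are allowed to scan.
    print(scan_udp("127.0.0.1", [53, 69, 161], timeout=0.5))
```

Two practical caveats follow from the code. Sending a single zero byte gets a
reply only from services that answer any datagram, so a real scan sends a
protocol-specific payload per port (a DNS query to 53, a GetRequest to 161)
to turn open|filtered into a definite open. And most stacks rate-limit ICMP
unreachables (Linux defaults to about one per second per destination), so a
fast sweep of closed ports sees mostly timeouts; scanners slow down and
retry when they notice the ICMP responses thinning out.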

IDS evasion and filter circumvention

Intrusion detection systems and other security mechanisms can be rendered
ineffective by using multiple spoofed decoy hosts when scanning (nmap -D) or
by fragmenting probe packets with nmap (-f) or fragroute. Filters such as
firewalls, routers, and even host software (including the Microsoft IPsec
filter) can sometimes be bypassed by sending probes from a specific source
TCP or UDP port that the filter trusts, such as 53 or 20 (nmap -g), by using
source routing, or by attacking weaknesses in stateful filtering.